I used to assume that school tech companies collected student data only to make their products work. After reporting on education-technology contracts and privacy fights, I learned to treat that assumption with skepticism. If your district uses AI tools—homework helpers, adaptive learning platforms, or proctoring services—it's important to know whether those vendors are sharing or monetizing students' information with advertisers. Below I share practical steps I use when investigating a vendor, what red flags to watch for, and how to press your district for clearer answers.

Start with the obvious: privacy policies and terms of service

The quickest way to get a baseline is to read the vendor's Privacy Policy and Terms of Service. Yes, they are long. But they often reveal whether data is sold, shared with third parties or used for advertising.

  • Look for explicit language: phrases like "we sell," "we share with advertisers," or "use data for advertising."
  • Find definitions of "personal data" and "control identifiers"—do they include persistent IDs, hashed emails, device IDs, or behavioral profiles?
  • Check retention and deletion policies: how long do they keep student data, and what is the deletion process?
  • Be mindful that some companies will avoid the word "sell" and instead use vague phrases like "share with partners" or "provide to service providers." That can mask commercial relationships with advertising networks.

Map the data flow: what the tool collects and where it goes

Understanding what a tool collects helps you gauge the risk. AI tools typically need inputs—text prompts, assignments, grades, voice recordings—to function. But not all collected data needs to leave the school systems' servers.

  • Does the product process data locally, or does it upload to cloud servers?
  • Is student data used to train AI models? If so, is that training done with identifiable data or aggregated/anonymized inputs?
  • Are there SDKs (software development kits) or third-party libraries embedded in the app? Analytics SDKs (Google Analytics, Firebase, Mixpanel), ad SDKs (AdMob, Facebook Audience Network) or tracking pixels can indicate sharing with advertising ecosystems.
  • Tools like the browser developer console, privacy inspector extensions (uBlock Origin, Privacy Badger), or mobile app decompilers can reveal outbound connections. If you're not technical, ask a tech-savvy parent, a local university student, or a community volunteer to help trace network calls from school-provided devices.
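One way to turn a traced session into evidence, as an added example rather than anything taken from a vendor or tool named above: export the browser developer tools' network log as a HAR file, then summarize every third-party host the product contacted. The tracker domain list is an illustrative starting set, and `vendor.example` and the sample capture are constructed.

```python
import json
from urllib.parse import urlsplit

# Illustrative starting list (an assumption, not exhaustive): domain suffix -> category.
TRACKER_SUFFIXES = {
    "google-analytics.com": "analytics",
    "app-measurement.com": "analytics",   # Firebase / Google Analytics app SDK
    "mixpanel.com": "analytics",
    "doubleclick.net": "advertising",
    "googlesyndication.com": "advertising",
}

def classify(host):
    """Return the category for a known tracker domain, else None."""
    for suffix, category in TRACKER_SUFFIXES.items():
        if host == suffix or host.endswith("." + suffix):
            return category
    return None

def audit_har(har, first_party):
    """Summarize every third-party host contacted in a HAR capture."""
    findings = {}
    for entry in har["log"]["entries"]:
        req = entry["request"]
        host = (urlsplit(req["url"]).hostname or "").lower()
        if not host or host == first_party or host.endswith("." + first_party):
            continue  # skip the vendor's own servers
        f = findings.setdefault(host, {
            "category": classify(host) or "unclassified third party",
            "requests": 0, "sends_cookies": False, "query_keys": set()})
        f["requests"] += 1
        f["sends_cookies"] |= bool(req.get("cookies"))
        f["query_keys"].update(q["name"] for q in req.get("queryString", []))
    return findings

# Constructed sample capture; "vendor.example" is a hypothetical vendor domain.
SAMPLE_HAR = json.loads("""{"log": {"entries": [
 {"request": {"url": "https://app.vendor.example/api/assignments", "cookies": [{"name": "session", "value": "x"}], "queryString": []}},
 {"request": {"url": "https://www.google-analytics.com/g/collect?cid=1.2&uid=stu-001", "cookies": [], "queryString": [{"name": "cid", "value": "1.2"}, {"name": "uid", "value": "stu-001"}]}},
 {"request": {"url": "https://googleads.g.doubleclick.net/pagead/id", "cookies": [{"name": "IDE", "value": "constructed"}], "queryString": []}},
 {"request": {"url": "https://fonts.cdn.example/a.woff2", "cookies": [], "queryString": []}}
]}}""")

if __name__ == "__main__":
    for host, f in sorted(audit_har(SAMPLE_HAR, "vendor.example").items()):
        print(f"{host:35} {f['category']:26} requests={f['requests']} "
              f"cookies={f['sends_cookies']} params={sorted(f['query_keys'])}")
```

Hosts reported as "unclassified third party" are the ones to raise with the district: each should correspond to a named sub-processor in the contract.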

Check the contract and data processing addendum

District contracts and Data Processing Agreements (DPAs) are the most reliable sources of what a vendor is allowed to do. I always ask my local district for the contract or the specific sections that address data use.

  • Does the contract expressly forbid targeted advertising to students or using student data for ads?
  • Does the DPA limit data use to "performing the service" and explicitly prohibit data for training models or monetization?
  • Is there an audit clause allowing the district to verify the vendor's practices, and are there penalties for violations?
  • If the district refuses to share the contract, many states classify these agreements as public records. You can file a public records request or FOIA-equivalent in your state (see the sample request table below).

Watch for common red flags

These are specific warning signs I look for when evaluating whether a vendor might be selling data to advertisers:

  • Vague language in privacy documents about sharing with "partners" or "service providers" without naming or categorizing them.
  • Presence of ad tech or analytics SDKs in apps used by students.
  • Data retention periods that are indefinite or unusually long.
  • Clauses allowing vendors to monetize "anonymized" or "aggregated" data without strict re-identification protections.
  • Third-party cookies or cross-device linking capabilities—this makes it easier to combine school-based identifiers with commercial profiles used for ad targeting.

Questions to ask your district and the vendor

I've found a short script of pointed questions gets clearer answers than open-ended requests. Share these in district meetings, PTA sessions, or emails to administrators and vendors.

  • Does the vendor use student data for advertising or share data with advertisers?
  • Is student data used to train AI models that are also sold or used outside the district?
  • Which third parties receive student data, for what purposes, and under what contracts?
  • Can parents opt their children out of data-sharing, and how is that opt-out enforced?
  • Are there security audits, certifications (SOC 2, ISO 27001) or independent assessments of the vendor’s data practices?

Use public records and consumer-protection laws

When answers are incomplete, public records laws are powerful. I keep my requests specific and time-bound, which makes responses easier for officials to produce.

| What to request | Why it helps |
| --- | --- |
| Vendor contract and DPA | Shows permitted uses and restrictions on data sharing |
| Vendor privacy policy versions and notices to the district | Reveals historical changes and whether vendor practices changed post-contract |
| List of third-party sub-processors or partners | Identifies ad networks, analytics firms, or cloud providers |
| Audit reports or security assessments | Evidence of compliance and controls |

Look to state and federal law

Different states have different protections: California's Student Online Personal Information Protection Act (SOPIPA), Vermont and Washington laws, and the federal COPPA/CIPA rules affect some uses of student data. Ask whether the district has legal counsel review vendor compliance with applicable laws. That review should be documented and ideally available to the public.

When a vendor says "we don't sell data."

Be skeptical, but not dismissive. Vendors often craft language to comply with consumer privacy laws like the CCPA without actually stopping downstream ad-related uses. Ask for specifics: if they don't sell, do they allow sharing for advertising? Can they provide a list of third parties who receive identifiable or pseudonymized student data? Can they demonstrate technical measures preventing linking school identifiers to commercial ad profiles?

What parents and teachers can do practically

  • Push for strict contract language that bans targeted advertising, prohibits using student data to train commercial AI, and requires vendor transparency.
  • Demand easy opt-outs for parents and alternatives for students whose families decline data-sharing.
  • Organize with other parents and teachers to request audits or independent privacy reviews—there's power in numbers.
  • Encourage the district to prioritize privacy-preserving tools: open-source platforms or vendors that support local processing and minimal data collection.

It can feel overwhelming, but a focused set of questions, records requests, and community pressure can move districts toward safer practices. The goal isn't to block innovation in education; it's to ensure that technology helps students without turning their personal information into a commodity for advertisers.